Standing up for the freedom of information, with the help of a security bug

In this instance, the public fervor isn't over the release of secret diplomatic cables but a U.K. academic paper detailing a vulnerability in chip-and-PIN.

Really, though, the differences between a thesis published by University of Cambridge computer science student Omar Choudary, which highlights a dangerous security flaw in a system designed to reduce credit card fraud, and the hundreds of cables (and it is just hundreds) so far released by whistleblower website WikiLeaks seem to end there.

On one side is a faction that believes that information that exposes poor practices, whether it is by government or by a powerful lobby such as the banking industry, is meant to be free. On the other side is a faction that hates being embarrassed and will pull out all the stops to save face.

Really, it's that simple.

So I was pleased to read today that Cambridge professor Ross Anderson is staunchly defending the student over his decision to publish the academic research, despite being pressured to censor the paper by a powerful lobbying group, the U.K. Cards Association, which represents that nation's largest banks.

In a response letter to the association, Anderson wrote:

You seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him.

I wish I could say the same about organizations such as Amazon, PayPal and others that have faced political pressures from the U.S. government to cut ties with WikiLeaks and which justified their ultimate acquiescence by citing "terms of service" violations.

But back to Cambridge. I've written in the past about the benefits that transparency and openness bring to the security industry. By making issues known publicly, researchers are able to hold the feet of those responsible to the fire, forcing them to get better at what they're doing.

Now, certainly, there is a responsible way to go about disclosure. We've extensively covered this debate this year, and I do agree that if a researcher discovers a security vulnerability, they have the responsibility to notify the vendor in question, giving them reasonable time to fix the issue. Then, they should be free to publish their findings.

In the case of the chip-and-PIN flaw known as "no-PIN," it appears the vulnerability was already known and little was done about it. All the graduate student did was expand on the scope of the problem, months after it was initially disclosed, and offer recommendations for patching it.

Anderson concluded: "You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it."

I admire Anderson, but I worry not everyone will have the courage he has to stand up to those more powerful.

And if this story, and the WikiLeaks saga, are any indication, corporate and government interests are slowly but surely chipping away at academic and journalistic freedoms, which really are foundational to a true democracy.